IdentityServer | compliant OpenID Connect and OAuth | Authentication library

No, replacing Log4j with Logback is not supported. The use of Log4j runs very deep in the product, and cannot be replaced by users. I'd recommend asking another questions about the issue that led you to want to replace the ❤️ of the logging subsystem. Perhaps that has a solution that doesn't require heart surgery.

You would have to mimic the set of requests and responses that would normally go through the browser. For example, you first make an authorization request. The server responds with a 302 to a login page. You can grab the location header and call the login page. Then you would post the username and password to the login form's action, etc.

You can have a look at this example: https://github.com/curityio/token-handler-node-express/blob/master/test/login.sh this is a set of curl commands which perform such login to an instance of the Curity Identity Server.

You should be able to script it as a series of requests in Postman.

Statup.cs in API Client

I finally resolved this issue. But still not satisfied with the methodology. Yet, it works gracefully. What I expected from OAuth2AuthorizationRequestResolver that the request to get the jwt token gets created internally and I should be unaware of the random string generated as code_challenge(to implement PKCE).

I still request to share if somebody has a working example of authenticating and getting token by just providing required confs without me implementing and overriding OAuth2AuthorizationRequestResolver. So, here i go

To implement OAuth2AuthorizationRequestResolver please follow https://developer.okta.com/blog/2020/01/23/pkce-oauth2-spring-boot

then in method addPkceParameters

Initially please try by deleting history in the browser and use "login.microsoftonline.com//v2.0/" as authority string. And options.CallbackPath = "/signin-oidc"; options.ResponseType = "code id_token";

NOTE : The identity platform which is used by Microsoft has a character limit for links. This type of error will appear if the authorization request or link is longer than the said limit,.

Protocols like OpenID Connect, allow state as a parameter in the authorization request, and the identity provider will return that state in the response as you can find that in error page you provided . Because of which the request URL becomes large as sometimes the state parameter is long.(which might be the possible case here)

Try to call the AddOidcStateDataFormatterCache extension method on the IServiceCollection in startup class which uses the distributed cache in the backend like:

I figured it out after spending a lot of days on this.

The problem was that ASP.NET Core Hosted Blazor Webassembly calls the API with the same Origin, so the 'Referrer Policy': 'origin-when-cross-origin' did not restrict the 'Referer' header.

'origin-when-cross-origin' is the standard for 'Referrer Policy', and restricts the 'Referer' header for cross-origin calls.

But when I ran it with Blazor Webassembly and ASP.NET Core Web API each in their own project, they were localhost:7004 and localhost:7170, which are seen as same-site but not same-origin, so it was restricted to only show 'Origin' as the 'Referer' header.

I can't seem to find any way to make the API and Blazor be from the same 'Origin', so I have made my application somewhat less secure for now, by setting in my index.html file in Blazor Webassembly.

My application does not send user sensitive information in the URL ever, and everything is using HTTPS, so it isn't really that much of a problem if the 'Referer' is read by an external source.

I will be looking at a better solution to tell my API from what Team the caller is trying to access content, to check if the caller also has the policy in the JWT to access it, but for now this will do.

Most providers supports the AT+JWT token type and in it is specified that it should include a scope claim:

• JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens

It says:

If an authorization request includes a scope parameter, the corresponding issued JWT access token MUST include a scope claim as defined in section 4.2 of [TokenExchange].

All the individual scopes strings in the scope claim MUST have meaning for the resource indicated in the aud claim.

• On Linux, it's important that any bash deployment scripts that get run have Unix line endings (LF) and not Windows line endings (CRLF).

• Kuduscript will generate scripts with platform-appropriate line endings, but if those scripts are modified, or if you provide your own custom deployment scripts, it's important to make sure that your editor doesn't change the line endings.

• If something seems off with your deployment script, you can always use the Kudu console to delete the contents of /home/site/deployments/tools.

• This is the directory where Kudu caches kuduscript-generated deployment scripts. On the next deployment, the script will be regenerated.

• The error you're currently seeing is a Kudu issue with running node/npm for deployments.

• The easiest and fastest resolution for what you are currently seeing is to specify engines.node in your package.json.

Error: EISDIR: illegal operation on a directory, open '/home/site/wwwroot/wwwroot/Identity/lib/bootstrap/LICENSE'

EISDIR stands for "Error, Is Directory". This means that NPM is trying to do something to a file but it is a directory. In your case, NPM is trying to "read" a file which is a directory. Since the operation cannot be done the error is thrown.

Three things to make sure here

1. Make sure the file exists. If it does not, you need to create it. (If NPM depends on any specific information in the file, you will need to have that information there).
2. Make sure it is in fact a file and not a directory.
3. It has the right permissions. You can change the file to have all permissions with "sudo chmod 777 FILE_NAME".

Note: You are giving Read, Write and Execute permissions to every one on that file.

Alright, so when you have the following configuration: